projectdiscovery / nuclei-templates

Community curated list of templates for the nuclei engine to find security vulnerabilities.
https://github.com/projectdiscovery/nuclei
MIT License
9.02k stars 2.58k forks

[nuclei-template] Detect Dell iDRAC #950

Closed kopfjager007 closed 3 years ago

kopfjager007 commented 3 years ago

A template to discover Dell iDRACs and pull the version and firmware version, if applicable.
(technologies/dell-idrac-detect.yaml)

id: dell-idrac-detect
info:
  name: Detect Dell iDRAC
  author: kophjager007
  description: The Integrated Dell Remote Access Controller (iDRAC) is designed for secure local and remote server management and helps IT administrators deploy, update and monitor Dell EMC PowerEdge servers.
  severity: info

requests:
  - method: GET
    headers:
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    path:
      - "{{BaseURL}}/restgui/start.html"
      - "{{BaseURL}}/sysmgmt/2015/bmc/info" # Firmware Version and other info (iDRAC9)
      - "{{BaseURL}}/login.html"

    # Both matchers must hit on the same response: HTTP 200 AND at least one
    # of the words below. The word list itself is an OR and is case-sensitive.
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        part: body
        words:
          - "Dell Integrated Remote Access Controller "
          - "Integrated Dell Remote Access Controller"
          - "iDRAC"
          - "PowerEdge"

    extractors:
      # Generation from a response header of the form iDRAC/<n>
      - type: regex
        part: header
        regex:
          - iDRAC/[0-9]{1,2}
      # Generation from the page body, e.g. iDRAC8
      - type: regex
        part: body
        regex:
          - iDRAC[0-9]{1,2}
      # Firmware version from the JSON "FwVer" key; named so it is labelled
      # in the output, and group 1 keeps only the value
      - type: regex
        part: body
        name: fwver
        group: 1
        regex:
          - '"FwVer" *: *"([^"]+)"'

kopfjager007 commented 3 years ago

@ehsandeep, just FYI, the changes that were made (removing code) to this template result in a 100% miss on Dell iDRACs. I just tested the plugin you pushed (with code removed) and it missed every single iDRAC. The code as submitted was tested on Dell iDRAC 7, 8, and 9 (no authentication required). Can you update the plugin as submitted? Otherwise it's pretty useless.

ehsandeep commented 3 years ago

@kophjager007 sure, I've updated the template based on verification of the default login template and updated the detection template accordingly.

The default login template worked for Dell iDRAC 6, and I noticed different login endpoints for other versions; not sure if they have multiple endpoints for authentication for different versions.

Do you want me to add a separate template for different versions? As they have unique and different endpoints, we can create different templates for them.

ehsandeep commented 3 years ago

> @ehsandeep, just FYI, the changes that were made (removing code) to this template result in a 100% miss on Dell iDRACs. I just tested the plugin you pushed (with code removed) and it missed every single iDRAC. The code as submitted was tested on Dell iDRAC 7, 8, and 9 (no authentication required). Can you update the plugin as submitted? Otherwise it's pretty useless.

Made the required changes to keep the template in the original state, again thank you for sharing these templates.

kopfjager007 commented 3 years ago

@ehsandeep Thank you. I'm trying to confirm the login; I tested it on an iDRAC8 I know to be using default credentials and it worked, but I'm getting false positives on other iDRACs that are taking an extraordinarily long time to respond. I think the changes made on the login are good, and I confirmed it works on the iDRACs I have that also accept default creds. I like your idea of having separate login templates. Maybe that's the best route to go for the login, since they changed the endpoint for sure on iDRAC9.

ehsandeep commented 3 years ago

Yes, as they are going to cost the same number of HTTP requests, it's always good to keep them more manageable with a separate template.

kopfjager007 commented 3 years ago

@ehsandeep, one last question. For the technologies folder, do you prefer a subfolder if there are multiple templates for one technology? I had a little extra time this morning on my client and I'm trying to refine this a bit, since iDRAC9 has different endpoints than iDRAC6/7/8. Plus I think I found a better method to nail down the version.

On iDRAC 7/8 (I'm assuming 6 also, but didn't find one to test) "{{BaseURL}}/data?get=prodServerGen" seems to be a better candidate for identifying the exact version. On iDRAC9 the server generation version (and other useful info) is in "{{BaseURL}}/sysmgmt/2015/bmc/info".

I have these working on iDRAC7/8/9 and can do a PR once I shore things up.

Thanks!!
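
To check offline what the dell-idrac-detect template at the top of this thread actually matches and extracts, and how the iDRAC9 `/sysmgmt/2015/bmc/info` body mentioned above feeds the `fwver` extractor, here is an added example. It is not code from the thread or from the nuclei-templates project: a small Python stand-in for the template's matcher and extractor semantics, run over constructed responses. The response bodies, the header carrying `iDRAC/8`, and the bmc/info JSON layout (apart from the `FwVer` key, which the template already targets) are assumptions for illustration, not captures from real iDRACs.

```python
"""Stand-in for the dell-idrac-detect template's matcher/extractor logic.

Added example, not part of the nuclei-templates project. Matcher and extractor
values are copied from the template; all responses below are constructed.
"""
import json
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Values copied from the template's word matcher and regex extractors.
WORDS = [
    "Dell Integrated Remote Access Controller ",
    "Integrated Dell Remote Access Controller",
    "iDRAC",
    "PowerEdge",
]
HEADER_GEN_RE = re.compile(r"iDRAC/[0-9]{1,2}")
BODY_GEN_RE = re.compile(r"iDRAC[0-9]{1,2}")
FWVER_RE = re.compile(r'"FwVer" *: *"([^"]+)"')


@dataclass
class Response:
    """One HTTP response for one template path (constructed, not a real capture)."""
    path: str
    status: int
    body: str
    headers: Dict[str, str] = field(default_factory=dict)

    def raw_headers(self) -> str:
        # A part: header extractor runs over the raw header block.
        return "\r\n".join(f"{k}: {v}" for k, v in self.headers.items())


def matches(resp: Response) -> bool:
    """matchers-condition: and -> the status matcher AND the word matcher must hit.

    The word matcher fires on any one of its words (its own condition defaults
    to 'or') and compares case-sensitively, exactly as the template is written.
    """
    status_ok = resp.status == 200
    word_ok = any(w in resp.body for w in WORDS)
    return status_ok and word_ok


def extract(resp: Response) -> Dict[str, Optional[str]]:
    """Run the three regex extractors; 'group: 1' keeps only the FwVer value."""
    hdr = HEADER_GEN_RE.search(resp.raw_headers())
    body = BODY_GEN_RE.search(resp.body)
    fw = FWVER_RE.search(resp.body)
    return {
        "header_gen": hdr.group(0) if hdr else None,
        "body_gen": body.group(0) if body else None,
        "fwver": fw.group(1) if fw else None,
    }


def bmc_info_version(body: str) -> Optional[str]:
    """Parse an iDRAC9 /sysmgmt/2015/bmc/info body as JSON and read FwVer.

    Only the FwVer key comes from the thread; a flat JSON object is assumed.
    """
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return None
    return data.get("FwVer") if isinstance(data, dict) else None


def scan(responses: List[Response]) -> List[Dict[str, Optional[str]]]:
    """Apply the template to each path's response, one verdict per request."""
    hits = []
    for r in responses:
        if matches(r):
            info = extract(r)
            info["path"] = r.path
            hits.append(info)
    return hits


# Constructed sample responses, one per template path (assumed, not captured).
SAMPLE_IDRAC8 = [
    Response("/restgui/start.html", 404, "Not Found"),
    Response("/sysmgmt/2015/bmc/info", 404, "Not Found"),
    Response("/login.html", 200,
             "<title>Integrated Dell Remote Access Controller 8</title> iDRAC8",
             {"Server": "iDRAC/8"}),
]
SAMPLE_IDRAC9 = [
    Response("/restgui/start.html", 200, "<title>iDRAC9 - Login</title>"),
    Response("/sysmgmt/2015/bmc/info", 200,
             json.dumps({"FwVer": "4.40.00.00", "SystemModelName": "PowerEdge R740"})),
    Response("/login.html", 404, "Not Found"),
]
# Non-iDRAC host: a 200 with none of the words, and a 404 that mentions iDRAC.
# The 'and' condition rejects both.
SAMPLE_OTHER = [
    Response("/restgui/start.html", 200, "<html>Welcome</html>"),
    Response("/sysmgmt/2015/bmc/info", 404, "iDRAC not found here"),
    Response("/login.html", 200, "<html>Sign in</html>"),
]

if __name__ == "__main__":
    for name, sample in [("iDRAC8", SAMPLE_IDRAC8), ("iDRAC9", SAMPLE_IDRAC9), ("other", SAMPLE_OTHER)]:
        print(name, scan(sample))
```

The two points the thread turns on show up directly: with `matchers-condition: and`, a 200 whose body carries none of the words and a 404 whose body does are both rejected, and the `fwver` extractor only fires on the bmc/info body, so a host that answers only on `login.html` reports a generation but no firmware version.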

ehsandeep commented 3 years ago

Hey, subdirectories sound good to me.

kopfjager007 commented 3 years ago

Good deal, i appreciate it!